This is the second part of a three part article on password and account management. In this part, I’ll be going over password manager programs, using strong passwords, and multi-factor authentication.
Password managers are programs that allow people to store all of their usernames and passwords in an encrypted database. This allows people who use password managers to remember just one password – the master password to the password manager program. When the user of a password manager wants to log into a site or service, the user fills in their master password and the password manager software makes their user name and password for that site available to them. This also means that users can make their passwords ridiculously long, random, and complex because they don’t have to remember them. The features and capabilities of password managers vary from program to program. Here are a few options that I considered for my own use:
KeePass is a free, open source password manager. User’s log in information is stored in a local database that is secured using the very strong AES and Twofish encryption algorithms. This means that it would be very difficult for an attacker to steal your usernames and passwords, even if the attacker was able to pilfer a copy of the database file that contained them.
There are several free mobile apps that access your KeePass database using Dropbox. The advantage to keeping your KeePass database in Dropbox is that you can then use KeePass on any computer or mobile device that you have a Dropbox synch folder set up on. There is a portable version of KeePass that can be loaded on to a USB thumb drive which would allow you to use KeePass on a computer running most versions of Windows. KeePass is available for most Windows, Linux, and Mac operating systems.
Please keep in mind that KeePass is free, so there is no support number to call if something doesn’t work right. If your database file becomes corrupted, or you lose your master password, you’re on your own.
1Password is a password manager that costs about $50. There are versions available for Mac, Windows, IOS, and Android. Like KeePass, 1Password allows you to make your password database available to multiple computers by placing it in a Dropbox sync folder.
There’s a really neat feature that 1Password users who are using 1Password in conjunction with Dropbox can take advantage of. If you are using a computer that is not your own and you need to access a password stored in 1Password, you can do so by logging into your Dropbox account and browsing to your 1Password folder. The 1Password folder contains an HTML file that you can open and once you supply your master password, you can access your log in information saved in 1Password.
There are browser extensions for most popular browsers (Chrome, FireFox, Safari, etc..) which allows users to automatically fill in user names and passwords and other information for sites, so that users don’t have to copy and paste that information from the 1Password program.
LastPass is a full featured password manager. There is a free version and a premium version. Both versions use 256-bit AES (currently very strong) encryption to encrypt your user names and passwords. LastPass uses it’s own service, instead of Dropbox to make your user names and passwords available to you over multiple computers and mobile devices. LastPass uses your computer or mobile device to perform the encryption so the password database that gets saved on LastPass’ servers cannot be read by anyone else – not even LastPass employees.
There are versions of LastPass available for Windows, Mac, and most popular Linux distributions. It’s also available for most mobile devices including IOS, Android, Blackberry, and even *shudder* Windows phones. There is also a version of LastPass that works on a USB thumb drive. I should mention here that one of the major differences between the free and premium versions of LastPass is that you have to have the premium subscription (a whopping 1$ per month) to use LastPass with most mobile devices.
Another thing that really stands out to me is that LastPass works well with multi-factor authentication, which is something I’ll be covering in more detail later. LastPass works with the Yubikey and with Google Authenticator.
Password strength or complexity describes the quality of a password based on how long it is and how many different types of characters are in it. For many years, popular wisdom was that a good password was at least eight characters long and as long as there were symbols, upper, ans lower case letters and numbers.
Turns out that a person doesn’t have to use a password that contains numbers, symbols, and other assorted characters in order for it to be “secure”; the password just has to be long enough. As a password increases in length, the time and processing power required to crack or guess it, increases exponentially. This is where a pass-phrase comes in. A pass-phrase is basically just a password that is made up of multiple different words. For instance, a good pass-phrase would be “Cannon poke monkey eyes”. The folks over at XKCD explained it very well in this comic: http://xkcd.com/936/
“Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.” – Jesse McGrew www.schneierfacts.com
A factor of authentication is something unique that a person knows, possesses, or is. Factors of authentication are used to confirm that a person is who they claim to be and are commonly used when a person logs into a computer or website. An example of single-factor authentication would be a password. The problem with having a password as a single-factor of authentication is that a password can be guessed, or stolen, or cracked (un-encrypted).
Introducing another factor of authentication (in addition to a password) such as a user’s fingerprint makes it much more difficult for another person to access your accounts and services without your permission. When Twitter’s multi-factor authentication option is turned on, a user must supply a user name and password to log in as well as a code that Twitter sends in a text message to the user’s phone. More and more, websites like Twitter are embracing multi-factor authentication.
Some security-minded folks over at http://twofactorauth.org have compiled a list of websites and services that work with multi-factor authentication. Multi-factor authentication isn’t infallible but it is generally much more secure than just using a password. I highly recommend considering taking advantage of multi-factor authentication to further secure your accounts.
Okay, if I haven’t totally lost your attention yet, we’re in good shape. This part of the article was by far the largest and most in-depth part of the series. Next up, the third and final part of the series in which I talk about how I used each of the concepts discussed above to improve my own security practices.